Hi

We have a Blackberry Server that sends the mail out via our Proxy Server. Our Security team wants to move that to the DMZ Part of our network. What needs to be done for Blackberry to still work. I check some stuff on the web and they talk about a blackberry router that you can put in the dmz, but we dont have one.

Hope i gave enough information.

Thanks

BlackBerry Router is a Service on the BES, that can be installed on a separate box, inside the DMZ.

I would check the BES documentation for your particular version.

You would need a seperate server to in the DMZ to run the BES Router service. You then need open ports for the BES to talk to it's router. That still leaves a way in. If I can get to oyur Router, I could use those open ports to get into your network.

All BES requires is port 3101 OUTBOUND to be open. It's as secure as can be.

Hi I found the following Q&A:

Q) can we have the BB server setup in DMZ. If so can someone explain me the advantages and disadvantages?

Thanks,
Sridhar

A) Yes. No point really though since you will have to poke a ton of holes in your firewall.. If you are not hosting MDS applications BES doesn't require any open incoming ports, so again no point... RIM has a lot of documentation about this.

My Q: If there are no open incomming ports, how does the blackberry sync back to the mailbox if you delete mail on the device?

Is it really necesary to have the BB Server in a DMZ??

Thanks,

The BB Router can be installed in the DMZ. All other BES components need to be behind the firewall.

Hi

Can you add a blackberry router to an existing BES setup. Like i said in the first reply: we have an existing BES network all working, but now they want to move it to the DMZ, i read somewhere that you can only add a BB router when you install the Server. is it possible to remove the bb router service from the existing server and move it to a machine (BTW what is the hardware specs for a bb router, i can only find the os requirements) in the dmz and make that the BB router???

Sorry i am new to the BES enviroment

Thanks,

Hi Frikkels,

as other told you before, the best thing is to install a BlackBerry router on your DMZ Network. It can be done using the setup file used to install BES Server. At the beginning, there are some installation option, which one of them is the BB Router installation.

Once installed, you don't need to uninstall the local BB Router but you have to configure the BES to forward TCP 3101 traffic to the new BB Router:
from the BES, open BlackBerry Server Configuration and, under Router settings, change the SRP address with the IP address of your BB Router. Leave the other settings (all TCP ports 3101). Obviously, the BB Router has to be configured to point the Internet SRP address (for Italy is the srp.it.blackberry.net).

We have that kind of configuration and I can confirm you that you have to open only the outgoing TCP port 3101:

BES -(TCP 3101)-> BB Router -(TCP 3101)-> Internet RIM SRP

Moreover, BB Router can run with local system account privileges so you can have a standalone machine in DMZ. Otherwise you have also to allow on the firewall all the traffic needed by a member server of an M$ AD Domain (RPC, Kerberos, LDAP and more.................).

Bye.